CyberEye

Blackhole exploit site turns the tables on spammers

There is an old saying that you can’t kid a kidder. But apparently you can spam a spammer.

Researchers at Symantec came across a website apparently advertising the latest version of the popular Blackhole exploit kit. But upon closer examination it appears to be merely a front for a site advertising services for hackers.

“This method is not new,” Symantec security response manager Lionel Payet wrote in a blog posting. “Spammers often use names of famous people and products or the latest news events to try to lure users into reading their spam e-mails. However, it is quite unusual to see a popular exploit kit name used in this manner,” he wrote.

Exploit kits are a product of the commercialization of hacking as it has become dominated by organized crime. Increasingly professional services are being offered to those who want to carry out attacks without having a lot of technical expertise. The kits bundle packages of exploits for known vulnerabilities and can be licensed to deliver malware to victims on behalf of the licensee.

Blackhole can be licensed and customized at reasonable prices, starting at about $50. The customer places it on a server, and victim traffic can be delivered to the malicious server through a variety of methods, such as a legitimate webpage that has been compromised or a link in a spam or phishing e-mail, the latter being the most common type of malware campaign used against government users. Once a victim connects, the computer is scanned for vulnerabilities, the appropriate exploits are uploaded, and another ’bot joins the ’net.

Version 2.0 of Blackhole was released earlier this month and, according to Threatpost, it contains extensive new features. It has cleaned up its contents to remove older exploits for vulnerabilities that are well-known and patched, added support for Windows 8 and mobile devices, and included a random domain generator to allow attacks to be delivered from random, short-lived URLs that can be harder to spot and block.

The phony Blackhole 2.0 site is a counterfeit rehash of an old Blackhole page, according to Payet, offering services for registering domain names, hosting servers and encryption. “Altogether these services could offer cybercriminals a complete infrastructure to be used for hosting cybercrime operations,” he wrote.

But not Blackhole. If you visited the page and feel ripped off, there’s another old saying: What goes around, comes around.